If I enforce 100% USB encryption via BitLocker/MBAM, how do I facilitate USB imaging disks?

2

Situation

My organization wants to have a site-wide USB encryption policy where all USB drives are encrypted if used within our environment. This will be done via Bitlocker/MBAM. If a user inserts a USB drive, it forces them to encrypt - otherwise it doesn't mount the drive and they can't use it.

Concern

Encrypting all USB disks with Bitlocker will make them useless as bootup devices, correct? (Considering it is pre-OS and the USB drive would not be accessible as a boot disk.) One of our teams uses non-encrypted USB drives as boot disks for imaging machines, and this would break their ability to use those drives. If we allow an exemption for their USB drives, then we have a gap in security, and if I encrypt them then we lose our ability to image with USB drives.

If I don't encrypt the USB image drives then we have a security gap, if I do encrypt them I break something.

Curious to know if anyone has encountered this conundrum, and how you solved it?

Tucker

Posted 2018-04-03T18:56:22.200

Reputation: 51

Question was closed 2018-04-03T19:30:26.907

You can image a BitLocker encrypted storage device without a problem; of course, once you recover that image to another storage device, you will have to provide the recovery key. I am not sure I understand your question, to be honest. You told us nothing about your imaging process, though; it only works the way you describe if you are doing a sector by sector copy of the entire disk. – Ramhound – 2018-04-03T19:05:41.097

I thought I explained that with: "We image all of our machines via USB disks with a basic OS on them to select your imaging options, etc. Due to the bitlocker encryption, won't they fail as boot devices?"

I will touch it up though. – Tucker – 2018-04-03T20:27:45.707

I reformatted the question. Let me know if that makes more sense please. – Tucker – 2018-04-03T20:37:37.797

Asking how others solved a situation like this is too broad. Instead, ask how to boot from BitLocker encrypted USB drives. (If you still want to ask how to have the best of both worlds if the answer is "it can't be done," know that such a question is off-topic on this site.) – I say Reinstate Monica – 2018-04-03T21:11:34.643

"via USB disks with a basic OS" - This does not tell me anything helpful. You image your disks with which basic operating system? What software are you using specifically? If I am not mistaken, the current version of WinPE supports BitLocker volumes, which means you can image your Windows installation using DISM or other appropriate software without an issue. – Ramhound – 2018-04-03T21:36:22.173

This is a valid question as it stands. The solution is not to figure out how to boot from bitlockered drives. – music2myear – 2018-04-03T22:31:59.717

We run a fully bitlockered environment. Writing to non-encrypted removable media is simply not possible, but we still need to create the imaging drives. For this we use an older laptop for this and only this purpose. It does not need internet, just USB ports and the tools to image with them. We sneakernet the images to this computer and create the image drives. Because the images are useless off network, and there's even a password before you can use the USBs to begin the image process, there is very little issue with this being a security hole. – music2myear – 2018-04-03T22:35:14.167

Thank you @music2myear. I see what you are saying. So even if I have non-encrypted imaging USB disks it would not matter, because the GPO enforces read-only on non-encrypted drives. So if someone wants their USB drive usable they must encrypt (which enables read-write via GPO). I am currently deploying Bitlocker/MBAM for the first time, so I am assuming this is built into the GPO templates, correct? – Tucker – 2018-04-04T14:45:05.807

Yes, having unencrypted drives for imaging does not introduce a significant hole to the security of this system because these drives function outside the domain. Once the system is imaged the application of encryption can be automated so it directly follows as part of the imaging process. Usually this would be based on applying encrypting GPOs to the OU systems are dropped into as part of the imaging-domain-join operation. – music2myear – 2018-04-04T15:32:04.783
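The exchange above turns on one GPO behaviour: with "Deny write access to removable drives not protected by BitLocker" enabled, an unencrypted USB stick still mounts on a domain machine, but read-only, while a BitLocker-protected one is read-write. The script below is an added example, not code from the question or from any commenter. It audits that state on a Windows endpoint. Assumptions, labelled as such: that the policy is stored as the RDVDenyWriteAccess DWORD under HKLM\SOFTWARE\Policies\Microsoft\FVE (the documented registry location for that setting), that the BitLocker PowerShell module (Get-BitLockerVolume, Enable-BitLocker, Add-BitLockerKeyProtector) is available, and that it runs in an elevated session.

```powershell
# Added example: audit how the BitLocker removable-drive write policy applies
# on this machine. Not from the original post. Assumes an elevated session and
# the BitLocker module; registry value name is the documented one for the
# "Deny write access to removable drives not protected by BitLocker" policy.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RemovableDriveWritePolicy {
    # $true when Group Policy denies write access to unencrypted removable drives.
    $props = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.RDVDenyWriteAccess) {
        return $false   # policy key or value absent: no restriction in force
    }
    return ([int]$props.RDVDenyWriteAccess -eq 1)
}

function Get-RemovableDriveEncryptionReport {
    # One row per removable volume with a drive letter: BitLocker state and
    # whether the current policy will leave it read-only on this machine.
    $denyWrite = Get-RemovableDriveWritePolicy
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            $protected = ($null -ne $bl -and $bl.ProtectionStatus -eq 'On')
            [pscustomobject]@{
                MountPoint          = $mount
                FileSystem          = $_.FileSystem
                VolumeStatus        = if ($bl) { $bl.VolumeStatus } else { 'Unknown' }
                ProtectionOn        = $protected
                # Read-only here only; the policy is not consulted when the stick
                # is used to boot another machine, which is why an unencrypted
                # imaging drive still works for that purpose.
                ReadOnlyUnderPolicy = ($denyWrite -and -not $protected)
            }
        }
}

function Enable-RemovableDriveBitLocker {
    # Encrypt a removable drive with a password protector and add a recovery
    # password, which is what the policy requires before the drive is writable.
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [securestring] $Password
    )
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password -UsedSpaceOnly
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage: show the report; encrypt a drive only when explicitly asked.
Get-RemovableDriveEncryptionReport | Format-Table -AutoSize
# Example (hypothetical drive letter):
#   Enable-RemovableDriveBitLocker -MountPoint 'E:' -Password (Read-Host -AsSecureString 'Drive password')
```

The report distinguishes the two cases the thread conflates: a drive that is read-only because of policy on a domain-joined machine, versus a drive that cannot be booted from. BitLocker only affects the first; an imaging stick prepared on a machine outside the policy (the dedicated laptop music2myear describes) is still bootable, and once it is plugged into a policy-enforcing machine it simply mounts read-only.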

No answers